Could not find the documentation on "How to write the config file"

[NishikaDeSilva]

Summary

I want to exclude false-positives using the config file in GoSec. I understand that this can be done by giving the option -config . However, there is no proper detailed documentation on the syntax of writing this file.

Is there any documentation other than readme on this? If not can you please make a detailed document?

[ccojocar]

We have some documentation on this website https://securego.io/docs/rules/rule-intro.html, which is stored in this repository https://github.com/securego/securego.github.io but the config part is not covered.

Happy to accept a pull request if you are willing to contribute. Please just reach out to me on slack if you need any help.

[nanikjava]

@ccojocar what needs to be done for the documentation ? keen to help out for this ticket.

[ccojocar]

@nanikjava You can try to add some documentation for configuration keys in https://github.com/securego/securego.github.io. These are some places to check in the code where the configuration is parsed:

• gosec/cmd/gosec/main.go

  Line 163 in fd5472c

  func loadConfig(configFile string) (gosec.Config, error) {

• https://github.com/securego/gosec/blob/master/config.go
• https://github.com/securego/gosec/blob/master/config_test.go

It would be also nice to add in the docs a sample file for configuration.

[nanikjava]

@ccojocar Going through the above mentioned code found that the complete JSON file will look like this

{
  "global": {
    "nosec": true,
    "audit" : "enabled",
    "show-ignored" : true,
    "#nosec" : "#falsePositive"
  }
}

Is this correct ?

[ccojocar]

I think there are a few more config flags. For instance each rule can be enabled/disabled.

You can search trough the code to find all invocations of

func (c Config) Get(section string) (interface{}, error)

and

func (c Config) GetGlobal(option GlobalOption) (string, error)

[nanikjava]

Went through the code as you suggested found the following for Set(..) and Get(..) (both inside config_test.go)

		It("should be possible to save configuration to file", func() {
			configuration.Set("G101", map[string]string{
				"mode": "strict",
			})

			buffer := bytes.NewBuffer([]byte{})
			nbytes, err := configuration.WriteTo(buffer)
			Expect(int(nbytes)).ShouldNot(BeZero())
			Expect(err).ShouldNot(HaveOccurred())
			Expect(buffer.String()).Should(Equal(`{"G101":{"mode":"strict"},"global":{}}`))
		})
	})

	Context("when configuring rules", func() {
		It("should be possible to get configuration for a rule", func() {
			settings := map[string]string{
				"ciphers": "AES256-GCM",
			}
			configuration.Set("G101", settings)

			retrieved, err := configuration.Get("G101")
			Expect(err).ShouldNot(HaveOccurred())
			Expect(retrieved).Should(HaveKeyWithValue("ciphers", "AES256-GCM"))
			Expect(retrieved).ShouldNot(HaveKey("foobar"))
		})
	})

Is this what you referring to ?

[ccojocar]

Yeah, some rules have specific settings (e.g. hardcoded credentials).

[ccojocar]

https://github.com/securego/gosec?tab=readme-ov-file#configuration